OpenID Connect Implementation

The AAF is currently running a best efforts preview of OpenID Connect (OIDC) connectivity. In OIDC terms the AAF is operating an OpenID Provider (OP) which can authenticate users who have an account at any AAF connected SAML IdP.

Best efforts means we're operating our OP without components such as documentation, integration with the AAF support team, marketing sites, etc. These will be available in time, but we have other commitments to attend to first. Our technical team will keep a close eye on the OP during normal business hours, but we aren't committed to any specific uptime just yet. We've been running with this model since July 2018; during that time our monitoring shows that, outside of a few seconds when we've deployed a new release, it has had no downtime.

Our OP has been tested against the OIDC conformance testing framework and passes for the Authorization Code and Implicit flows. We also have some built-in support for Hybrid flows, depending on needs.

Our OP is available to AAF subscribers who feel confident in undertaking OIDC integration work and creating their own Relying Party (RP). Libraries that do most of the RP implementation work are available as open source for all languages we've looked into. GitHub is an excellent source as is

To request registration of an RP please email and include:

  1. Your Redirect URL (the redirect URL must be based on an actual URL rather than an IP address, and it must use HTTPS).

  2. A descriptive name for your service

  3. Your organisation name (Must be an AAF subscriber)

  4. An indication of whether your service is being used for developing/testing purposes or is a production-ready service.

Once received, our technical team will reach out to set up a secure messaging environment with you, via If you don't have an existing account on this service, you can create one free of charge. Once we're securely connected, we'll supply values for your RP that are generated during registration, including Client ID and secrets.

Finally, we support the OpenID Provider Configuration Information endpoint. You can acquire detailed information on the support provided by our OP by querying these endpoints at for production and for test.

Details for the production federation are replicated below:

$ curl | jq

  "issuer": "",
  "authorization_endpoint": "",
  "token_endpoint": "",
  "jwks_uri": "",
  "id_token_signing_alg_values_supported": [
  "subject_types_supported": [
  "response_types_supported": [
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  "scopes_supported": [
  "userinfo_endpoint": "",
  "claim_types_supported": [
  "claims_locales_supported": [
  "claims_parameter_supported": false,
  "display_values_supported": [
  "grant_types_supported": [
  "op_policy_uri": "",
  "op_tos_uri": "",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": true,
  "response_modes_supported": [
  "service_documentation": "",
  "token_endpoint_auth_methods_supported": [
  "ui_locales_supported": [
  "userinfo_signing_alg_values_supported": [
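
An RP should validate the OpenID Provider Configuration document before trusting the endpoints in it. The following is an added example, not AAF code: it checks the fields that OpenID Connect Discovery 1.0 marks as required, the exact issuer match, HTTPS on every endpoint, and whether the flow the RP wants is offered. The host op.example.org, the sample documents and the function name check_discovery are constructed for illustration.

```python
from urllib.parse import urlsplit

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
             "userinfo_endpoint")


def check_discovery(expected_issuer, doc, response_type="code", alg="RS256"):
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing required field: {k}" for k in REQUIRED if not doc.get(k)]
    issuer = doc.get("issuer") or ""
    # The issuer must equal, character for character, the URL the RP was given.
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r}")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        problems.append("issuer is not a plain https URL")
    for key in ENDPOINTS:
        if doc.get(key) and urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # response_type values are space-separated sets, so order is not significant.
    offered = {frozenset(v.split()) for v in doc.get("response_types_supported", [])}
    if frozenset(response_type.split()) not in offered:
        problems.append(f"response_type {response_type!r} not offered")
    if alg not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"ID token signing alg {alg} not offered")
    return problems


# Constructed sample document (placeholder host, not the AAF's real values).
SAMPLE = {
    "issuer": "https://op.example.org",
    "authorization_endpoint": "https://op.example.org/authorize",
    "token_endpoint": "https://op.example.org/token",
    "jwks_uri": "https://op.example.org/jwks",
    "userinfo_endpoint": "https://op.example.org/userinfo",
    "response_types_supported": ["code", "id_token token", "code id_token"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Constructed bad variant: different issuer and a cleartext token endpoint.
TAMPERED = dict(SAMPLE, issuer="https://login.other.example",
                token_endpoint="http://op.example.org/token")

if __name__ == "__main__":
    print(check_discovery("https://op.example.org", SAMPLE))
    print(check_discovery("https://op.example.org", TAMPERED, "token id_token"))
```

In a real RP, expected_issuer is the issuer value configured at registration time, and the same value is later compared against the iss claim of every ID token.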